8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs #61
👋 Welcome back fferrari! A progress list of the required criteria for merging this PR into |
@franferrax This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been no new commits pushed to the As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@jerboaa, @gnu-andrew) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type |
This backport pull request has now been updated with issue from the original commit. |
Looks mostly fine.
private static final Debug debug = Debug.getInstance("certpath"); | ||
|
||
// SHA-256 certificate fingerprints of distrusted roots | ||
private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList( |
private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList( | |
private static final Set<String> FINGERPRINTS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...))); |
Updated in e96486d, please note that the SYMANTEC_TLS distrust policy (which I checked for this backport) does not make the FINGERPRINTS set immutable either:
// SHA-256 certificate fingerprints of distrusted roots
private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
// cacerts alias: geotrustglobalca
// DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
"FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A",
Should we also update SymantecTLSPolicy.java?
Thanks!
Should we also update SymantecTLSPolicy.java?
No, not in this bug. Feel free to do this as an 8u-only fix via jdk8u-dev pr. The original backport to 8 of https://bugs.openjdk.org/browse/JDK-8207258 didn't do this. That's one of the gotchas of Set.of() backports. It's not terribly important.
This is a common case, as Severin implies. For the test library, we added internal versions of the listOf and setOf methods to better handle this. It has the advantage that the same error checking (null values, duplicates) is present as on the methods in later JDKs.
I can look at moving that to an internal JDK class instead to cover library cases, and fix the Symantec case then. No reason to delay this critical fix for that.
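The null and duplicate checks discussed above for a Java 8 replacement of Set.of(), as an added example that is not part of this thread or of the OpenJDK sources. The class name FingerprintSets and its setOf method are hypothetical; the fingerprint is the one quoted earlier in the thread.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;

// Added example: hypothetical Java 8 stand-in for Set.of(); not OpenJDK code.
public final class FingerprintSets {

    private FingerprintSets() {}

    // Mirrors the checks Set.of() performs on later JDKs:
    // NullPointerException for null elements, IllegalArgumentException
    // for duplicates, and an unmodifiable result.
    @SafeVarargs
    static <T> Set<T> setOf(T... elements) {
        Set<T> set = new LinkedHashSet<>();
        for (T e : elements) {
            Objects.requireNonNull(e, "null element");
            if (!set.add(e)) {
                throw new IllegalArgumentException("duplicate element: " + e);
            }
        }
        return Collections.unmodifiableSet(set);
    }

    public static void main(String[] args) {
        // Fingerprint quoted in the thread (cacerts alias geotrustglobalca).
        String fp = "FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A";
        Set<String> distrusted = setOf(fp);

        // A distrust list must not be editable at run time.
        try {
            distrusted.remove(fp);
            throw new AssertionError("set was mutable");
        } catch (UnsupportedOperationException expected) {
            System.out.println("remove rejected");
        }

        // A fingerprint pasted twice is reported when the set is built
        // instead of being silently collapsed by HashSet.
        try {
            setOf(fp, fp);
            throw new AssertionError("duplicate accepted");
        } catch (IllegalArgumentException expected) {
            System.out.println("duplicate rejected");
        }
        System.out.println(distrusted.contains(fp));
    }
}
```

Wrapping a HashSet in Collections.unmodifiableSet, as suggested in the review, gives the immutability but not the null and duplicate checks.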
Great!
Looks good.
Adding @gnu-andrew for awareness. According to the Crypto Roadmap, this change is targeting 8u, and planned for the October CPU. 23u, 21u, 17u and 11u backports are already integrated. |
Backport looks good to me. Missing collection and time methods are ported to suitable 8u equivalents. java.security changes are duplicated to the set of files in 8u.
I see differences with entrustrootcag4-chain.pem but this seems to be because 11u's version has CRLF line endings for some reason. The 8u one is actually correct in using the usual line endings.
I'm aware of the fix from 21u. Backport looks good so feel free to apply for approval so we can get this in the October release. |
I'll also take a look at the PR you reference for the tests and see if we can get that fixed in -dev. It won't change these results though. |
I hadn't noticed this, the original version has mixed CR and CRLF, and it got fixed when adjusting and applying the patch. If you prefer it to be a verbatim copy I can easily modify it to match the original.
Thanks, here is the approval request. |
No need to change it. If anything, 11u should be fixed.
Thanks, I didn't see the /approve yes |
@gnu-andrew |
Ok, just for the record, 17u, 21u, 23u and mainline also have the mixed line endings in
Yes, I manually filled the request in the JBS because other backports requests were done in that way, and I was wondering which label the |
/integrate |
@franferrax |
/sponsor |
Going to push as commit 39221f8. |
@gnu-andrew @franferrax Pushed as commit 39221f8. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Hi, here is a JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs backport, based on openjdk/jdk11u#95.
After adjusting the file paths from 11u to 8u, the backport isn't clean, but conflicts are minimal. These include a copyright line and minor java.security-<platform> context mismatches. You can verify this by comparing 00beb50 against openjdk/jdk11u@90ad5b1.
On top of that, the code still needed adjustments for the 8u codebase, which were addressed in a separate commit, 53e8134. I made these adjustments in line with 68e393c, the 8u backport of JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs.
Testing
I ran jdk/tier1 and all the tests under jdk/test/sun/security/ssl, using 64-bit slowdebug and release images, locally built in Fedora Linux 40. Please note that this includes the new X509TrustManagerImpl/Entrust/Distrust.java, which I've also made fail by temporarily undoing the java.security-linux changes. I haven't found any regression against master (currently e32d62e).
Regarding the failures in GitHub Actions, we can see that this also occurred in recent jdk8u-dev pull requests. For example:
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
com/sun/jdi/PrivateTransportTest.sh
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
sun/misc/CopyMemory.java
gc/concurrentMarkSweep/CheckAllocateAndSystemGC.java
compiler/unsafe/OpaqueAccesses.java
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u.git pull/61/head:pull/61
$ git checkout pull/61
Update a local copy of the PR:
$ git checkout pull/61
$ git pull https://git.openjdk.org/jdk8u.git pull/61/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 61
View PR using the GUI difftool:
$ git pr show -t 61
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk8u/pull/61.diff
Webrev
Link to Webrev Comment